On Thu, 2002-10-24 at 19:04, Gilad Ben-Yossef wrote:
> On Thu, 2002-10-24 at 18:39, Henning P. Schmiedehausen wrote:
> > Gerhard Mack <gmack@innerfire.net> writes:
> > >It gets even worse if almost all of your services are encrypted(like you
> > >would find on an e-commerse site). https will blind an IDS. The last
> > >place I worked only had 3 ports open and 2 of them were encrypted.
> >
> > Nah. Do it right:
> >
> > Internet ----- Firewall ---- SSL Accelerator Box --+---- Webserver
> > HTTPS HTTPS | HTTP
> > |
> > IDS
> >
>
> Eh... not really:
>
> A. If there's a buffer overflow in the SSL Accelerator box the firewall
> wont do you much good (it helps, but only a little).
This is a hardware device. Hardware as in "silicon". I very much doubt
that you can run "general purpose programs" on a device specifically
designed to do crypto. And this is _not_ just an "embedded Linux on ix86
with a crypto chip".
> B. The firewall in this setup provides very little besides packet
> filtering anyway.
You're right. But if I'd let it off, I'd would have gotten mail with
"there is no firewall in your setup, it's not secure". Either way I
lose. :-)
Regards
Henning
-- Dipl.-Inf. (Univ.) Henning P. Schmiedehausen -- Geschaeftsfuehrer INTERMETA - Gesellschaft fuer Mehrwertdienste mbH hps@intermeta.deAm Schwabachgrund 22 Fon.: 09131 / 50654-0 info@intermeta.de D-91054 Buckenhof Fax.: 09131 / 50654-20
- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Oct 31 2002 - 22:00:27 EST